CCPA/CPRA Violations at Scale: Enforcement Gaps in California Privacy Law

California passed the strongest privacy law in America. A new survey finds companies are violating it at industrial scale. Enforcement has been minimal.

By They Didn't Ask
The Violations

The Markup and webXray's April 2026 investigation tested opt-out compliance across 7,634 popular websites. Researchers visited each site from a California IP address with the Global Privacy Control (GPC) signal enabled — a legally recognized opt-out mechanism the California Attorney General has explicitly endorsed. The results were damning:

- Google trackers continued collecting data in 86% of instances despite receiving the opt-out signal
- Meta/Facebook trackers fired in 69% of cases; the report found they simply never checked for the signal at all
- Microsoft failed to honor the signal 50% of the time
- Google-certified Consent Management Platforms — tools supposed to help websites comply — failed to prevent Google cookies 90%+ of the time in one case
- 35 data brokers hid their opt-out pages from search engines using "no-index" tags, as The Markup and CalMatters previously documented
- webXray estimates total potential liability exposure at billions of dollars if the CPPA fined every violating site

The researchers concluded this was "industrial-scale noncompliance with California requirements." These are not edge cases. These are the largest advertising and technology companies on earth, systematically ignoring a law that has been on the books since 2020.

How They Get Away With It: Dark Patterns

Noncompliance is engineered into the user experience. Companies deploy specific dark patterns to minimize opt-out rates while maintaining a veneer of compliance:

- Pre-checked consent boxes buried in preference centers, making "consent" the default
- "Reject All" buttons hidden behind 3-5 additional clicks while "Accept All" is a single click away
- Asymmetric button design: highlighted, colored "Accept" buttons vs. gray, low-contrast "Reject" links
- Privacy preference center links relegated to the website footer in 6-point font, while the cookie banner dominates the viewport
- Login walls: some sites require users to create an account and authenticate before they can submit a CCPA opt-out request, which the CPPA has explicitly ruled illegal
- Broken backends: the Todd Snyder enforcement action revealed a cookie preference center that disappeared instantly, preventing any consumer action

The CPPA fined Tractor Supply $1.35M for an opt-out webform that appeared to work but had no actual effect on third-party trackers. American Honda paid $632,500 for requiring two clicks to opt out but only one to accept. These are the tip of the iceberg. This is consistent with what dark patterns research has documented across the industry.

What CCPA/CPRA Actually Gives You

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, grants five core rights. Understanding them is the first step to using them:

- Right to Know: You can request any business disclose the categories and specific pieces of personal information they have collected about you, where they got it, why they have it, and who they share it with. Businesses must respond within 45 days. You can make this request twice a year free of charge. In practice, 43% of data brokers simply ignore these requests entirely, per UC Irvine research cited by the EFF.
- Right to Delete: You can request a business delete your personal information and direct its service providers to do the same. Exceptions apply (legal obligations, transaction completion), but the burden is on the business to prove the exception applies.
- Right to Opt-Out of Sale or Sharing: You can tell a business to stop selling your personal information or sharing it for cross-context behavioral advertising. This includes the right to use the Global Privacy Control (GPC) as a legally binding opt-out signal. Businesses must honor it within 15 days and cannot ask you to confirm.
- Right to Non-Discrimination: Businesses cannot charge you more, provide a different level of service, or deny goods or services because you exercised your CCPA rights. However, they can offer financial incentives tied to data collection — with your opt-in consent.
- Right to Correct: You can request a business correct inaccurate personal information it holds about you.
- Private Right of Action (Data Breaches Only): This is the critical limitation. You can sue a business only if it fails to maintain reasonable security and your non-encrypted personal information is breached. Damages range from $100 to $750 per consumer per incident, or actual damages. Everything else — dark patterns, ignored opt-outs, unlawful tracking — is solely the CPPA's or the Attorney General's responsibility to enforce. You cannot sue for it.

Google's Secret Lobbying Campaign

While publicly maintaining neutrality on privacy legislation, Google has waged an aggressive behind-the-scenes lobbying war against California privacy bills. CalMatters revealed in September 2025 that Google secretly organized small business owners to oppose Assembly Bill 566, which would require browsers like Chrome to provide automatic opt-out capabilities. Google used proxies like the Connected Commerce Council (3C) — a group that claims to represent 15,000 small businesses but lists Google and Amazon as funders — to generate opposition without public fingerprints.

Google spent $10.7 million in Q3 2024 alone on California lobbying — more than it had spent in the previous 20 years combined. In 2025, it disclosed nearly $700,000 specifically targeting bills including AB 566. It paid the California Chamber of Commerce nearly $100,000 to lobby on its behalf. The company registered to lobby 17 privacy-related bills but publicly stated a position on only one.

The strategy is simple: block, delay, and weaken enforcement before consumers ever see a bill.

The Enforcement Gap: CPPA vs. GDPR

The California Privacy Protection Agency has brought roughly a dozen formal enforcement actions since gaining enforcement authority in July 2023. Notable actions include:

| Company | Fine | Violation |
| --- | --- | --- |
| Disney | $2.75M | GPC opt-out failure |
| Tractor Supply | $1.35M | Broken opt-out webform |
| PlayOn Sports | $1.1M | Student tracking, no opt-out |
| American Honda | $632,500 | Asymmetric cookie consent |
| Todd Snyder | $345,178 | Broken preference center |

The CPPA's 2025 annual report shows a budget of $15.8 million and 54 employees. This is the agency responsible for policing every data broker, every website, and every business that collects personal information from 39 million Californians.

Compare that to the EU's GDPR enforcement: European data protection authorities issued approximately EUR 1.2 billion in fines in 2025 alone, matching 2024's total. Since 2018, cumulative GDPR fines exceed EUR 5.65 billion. Meta alone has been fined EUR 1.2 billion (for unlawful US data transfers) and EUR 390 million (for forced advertising consent). Ireland's DPC has issued EUR 3.5 billion in fines since 2018 — more than four times every CPPA action combined.

The CPPA's budget is roughly $15M/year. The companies it regulates have market capitalizations exceeding $100 billion. Under California law, statutory penalties are $2,500 per unintentional violation and $7,500 per intentional violation. If the CPPA had the resources to fine every site webXray found violating the law, the theoretical liability would run into the billions. Instead, the agency can bring a handful of cases per year. Fines are treated as a cost of doing business.

The Broader Landscape of US State Privacy Laws

California is not alone anymore, but the patchwork that has emerged highlights how far enforcement still has to go:

- California (CCPA/CPRA): Strongest consumer rights in the US, dedicated enforcement agency, private right of action for data breaches only. But underfunded enforcement.
- Virginia (VCDPA): Effective 2023. Provides the standard rights (access, delete, opt-out) but no private right of action at all. Enforced solely by the Attorney General. 30-day cure period.
- Colorado (CPA): Effective 2023. Requires universal opt-out mechanism recognition. Enforced by AG and district attorneys. Stronger than Virginia but still no private right of action.
- Connecticut (CTDPA): Effective 2023. Similar rights to Colorado. Participated in the first multi-state coordinated enforcement sweep with California and Colorado in September 2025.
- Utah (UCPA): Effective 2023. Business-friendly. Lower thresholds, weaker consumer rights, no right to correction, no data protection assessment requirement.
- 2024-2025 Laws: Texas, Iowa, Indiana, Tennessee, Montana, Oregon, and more have passed laws with varying strength. As of 2026, 20 states have comprehensive privacy laws in effect. The IAPP tracker shows that new laws in Indiana, Kentucky, and Rhode Island took effect January 1, 2026.

The Critical Difference: California is the only state with a private right of action, and even that is limited to data breaches. Every other state relies entirely on Attorney General enforcement. None have a dedicated privacy agency like the CPPA. None have the staffing or budget to meaningfully police digital privacy at scale.

The Enforcement Gap Analysis

The fundamental problem is structural. The CCPA's private right of action — the most powerful enforcement tool in any US privacy law — only covers data breaches. Everything else depends on the CPPA or the California Attorney General. Neither has the resources.

The EFF has documented extensively what this gap means in practice: California's data broker registry lists over 500 registered brokers, but UC Irvine researchers found 43% failed to even respond to access requests. The EFF separately identified 291 data brokers registered in other states that appear to have skipped registering in California entirely. The CPPA's Data Broker Enforcement Strike Force, launched November 2025, is a step forward, but it is one team against an industry of hundreds.

The solution space has two paths. A federal privacy law with a broad private right of action would let consumers enforce their own rights — but Congress has failed to pass comprehensive privacy legislation for over a decade, and the current political climate makes it less likely than ever. The alternative is dramatically increasing CPPA funding. California's budget surplus debates have never prioritized privacy enforcement, but the math is clear: every dollar spent on CPPA enforcement generates orders of magnitude more in compliance pressure and consumer protection.

What You Can Do

Despite weak enforcement, individual opt-out requests remain effective — if you follow up. Here is the process:

1. Enable Global Privacy Control in your browser. It is legally recognized as a binding opt-out request under California law. If a site ignores it, document it and file a complaint.
2. Submit CCPA requests directly to companies. Use the "Do Not Sell or Share My Personal Information" link (legally required on every covered business's homepage). If it is missing or broken, that itself is a violation.
3. Use the California DROP system. The Delete Act's Delete Request and Opt-Out Platform launched January 2026, allowing California residents to send deletion and opt-out requests to every registered data broker in a single submission.
4. File a complaint with the CPPA when a company ignores your request. The EFF has a detailed guide. Consumer complaints drove the Tractor Supply, Honda, and Todd Snyder investigations. Each enforcement action started with someone filing a report.
5. Follow up every 45 days. The law requires a response within 45 days (extendable to 90 with notice). No response is a violation.

The California data broker opt-out tool can automate some of the process. The complete data deletion guide covers removal steps beyond California law.

The law gives you rights. The enforcement gap is real. But rights you exercise are rights you protect. Submit the requests. File the complaints. Follow up. The CPPA's enforcement record shows that persistent consumers trigger investigations. The system works when you work it.

The FTC's 2026 strategic plan signals more aggressive federal enforcement, but progress remains slow. The law exists. The enforcement does not — unless you demand it.
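As an added illustration (not part of the article, nor webXray's or any vendor's code), the Node.js snippet below shows the two sides of the GPC check the investigation tested: how a site should gate third-party trackers on the GPC request header, and how a visitor who wants to "document it" can record which tracker hosts still fired while the signal was on. It assumes the header name `Sec-GPC` from the GPC specification (not named on the page); the tracker hostnames and the captured request list are constructed sample data.

```javascript
// Added example, not from the article. (1) Honor the Global Privacy Control
// signal server-side; (2) audit whether trackers fired anyway, in the spirit
// of the webXray test described above (GPC on, watch which hosts get requests).

// GPC is carried as the request header "Sec-GPC: 1" (header name from the GPC
// specification, not from the page). Header names are matched case-insensitively.
function gpcSignalled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Decide whether third-party advertising tags may be injected into a response.
// consentState is whatever the site's own banner stored: 'accept', 'reject', or
// undefined when the user never interacted. A stored 'accept' must NOT override
// GPC: under the CPRA the signal is binding and the site may not ask to confirm.
function mayLoadAdTrackers(headers, consentState) {
  if (gpcSignalled(headers)) return false; // opt-out wins, no re-prompt
  return consentState === 'accept';        // no recorded consent => no tags
}

// Constructed, illustrative third-party hosts treated as "sale or sharing for
// cross-context behavioral advertising". Real audits use a tracker blocklist.
const TRACKER_HOSTS = new Set([
  'tracker.example-ads.test',
  'pixel.example-social.test',
]);

// Audit: given GPC was enabled during the visit, return the tracker hosts that
// still received requests (sorted, de-duplicated). Empty means no violation seen.
function trackersFiredDespiteGpc(gpcEnabled, observedUrls) {
  if (!gpcEnabled) return [];              // only meaningful with the signal on
  const fired = new Set();
  for (const u of observedUrls) {
    let host;
    try { host = new URL(u).hostname; } catch { continue; } // skip malformed URLs
    if (TRACKER_HOSTS.has(host)) fired.add(host);
  }
  return [...fired].sort();
}

// Constructed sample visit: GPC enabled, yet an advertising endpoint still loads.
const SAMPLE_VISIT = [
  'https://shop.example.test/',
  'https://cdn.example.test/app.js',
  'https://tracker.example-ads.test/collect?id=123',
  'https://tracker.example-ads.test/collect?id=124',
];

console.log('fired despite GPC:', trackersFiredDespiteGpc(true, SAMPLE_VISIT));
```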